iptables can use extended target modules: the following are included in
the standard distribution.
BALANCE
This allows you to DNAT connections in a round-robin way over a given
range of destination addresses.
--to-destination ipaddr-ipaddr
Address range to round-robin over.
CLASSIFY
This module allows you to set the skb->priority value (and thus clas-
sify the packet into a specific CBQ class).
--set-class MAJOR:MINOR
Set the major and minor class value.
CLUSTERIP
This module allows you to configure a simple cluster of nodes that
share a certain IP and MAC address without an explicit load balancer in
front of them. Connections are statically distributed between the
nodes in this cluster.
--new Create a new ClusterIP. You always have to set this on the
first rule for a given ClusterIP.
--hashmode mode
Specify the hashing mode. Has to be one of sourceip, sourceip-
sourceport, sourceip-sourceport-destport
--clustermac mac
Specify the ClusterIP MAC address. Has to be a link-layer mul-
ticast address
--total-nodes num
Number of total nodes within this cluster.
--local-node num
Local node number within this cluster.
--hash-init rnd
Specify the random seed used for hash initialization.
CONNMARK
This module sets the netfilter mark value associated with a connection
--set-mark mark[/mask]
Set connection mark. If a mask is specified then only those bits
set in the mask is modified.
--save-mark [--mask mask]
Copy the netfilter packet mark value to the connection mark. If
a mask is specified then only those bits are copied.
--restore-mark [--mask mask]
Copy the connection mark value to the packet. If a mask is spec-
ified then only those bits are copied. This is only valid in the
mangle table.
DNAT
This target is only valid in the nat table, in the PREROUTING and OUT-
PUT chains, and user-defined chains which are only called from those
chains. It specifies that the destination address of the packet should
be modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type of
option:
--to-destination ipaddr[-ipaddr][:port-port]
which can specify a single new destination IP address, an inclu-
sive range of IP addresses, and optionally, a port range (which
is only valid if the rule also specifies -p tcp or -p udp). If
no port range is specified, then the destination port will never
be modified.
You can add several --to-destination options. If you specify
more than one destination address, either via an address range
or multiple --to-destination options, a simple round-robin (one
after another in cycle) load balancing takes place between these
adresses.
DSCP
This target allows to alter the value of the DSCP bits within the TOS
header of the IPv4 packet. As this manipulates a packet, it can only
be used in the mangle table.
--set-dscp value
Set the DSCP field to a numerical value (can be decimal or hex)
--set-dscp-class class
Set the DSCP field to a DiffServ class.
ECN
This target allows to selectively work around known ECN blackholes. It
can only be used in the mangle table.
--ecn-tcp-remove
Remove all ECN bits from the TCP header. Of course, it can only
be used in conjunction with -p tcp.
LOG
Turn on kernel logging of matching packets. When this option is set
for a rule, the Linux kernel will print some information on all match-
ing packets (like most IP header fields) via the kernel log (where it
can be read with dmesg or syslogd(8)). This is a "non-terminating tar-
get", i.e. rule traversal continues at the next rule. So if you want
to LOG the packets you refuse, use two separate rules with the same
matching criteria, first using target LOG then DROP (or REJECT).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29 letters
long, and useful for distinguishing messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is
readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.
MARK
This is used to set the netfilter mark value associated with the
packet. It is only valid in the mangle table. It can for example be
used in conjunction with iproute2.
--set-mark mark
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain.
It should only be used with dynamically assigned IP (dialup) connec-
tions: if you have a static IP address, you should use the SNAT target.
Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down. This is the
correct behavior when the next dialup is unlikely to have the same
interface address (and hence any established connections are lost any-
way). It takes one option:
--to-ports port[-port]
This specifies a range of source ports to use, overriding the
default SNAT source port-selection heuristics (see above). This
is only valid if the rule also specifies -p tcp or -p udp.
MIRROR
This is an experimental demonstration target which inverts the source
and destination fields in the IP header and retransmits the packet. It
is only valid in the INPUT, FORWARD and PREROUTING chains, and user-
defined chains which are only called from those chains. Note that the
outgoing packets are NOT seen by any packet filtering chains, connec-
tion tracking or NAT, to avoid loops and other problems.
NETMAP
This target allows you to statically map a whole network of addresses
onto another network of addresses. It can only be used from rules in
the nat table.
--to address[/mask]
Network address to map to. The resulting address will be con-
structed in the following way: All ’one’ bits in the mask are
filled in from the new ‘address’. All bits that are zero in the
mask are filled in from the original address.
NOTRACK
This target disables connection tracking for all packets matching that
rule.
It can only be used in the
raw table.
REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUT-
PUT chains, and user-defined chains which are only called from those
chains. It alters the destination IP address to send the packet to the
machine itself (locally-generated packets are mapped to the 127.0.0.1
address). It takes one option:
--to-ports port[-port]
This specifies a destination port or range of ports to use:
without this, the destination port is never altered. This is
only valid if the rule also specifies -p tcp or -p udp.
REJECT
This is used to send back an error packet in response to the matched
packet: otherwise it is equivalent to DROP so it is a terminating TAR-
GET, ending rule traversal. This target is only valid in the INPUT,
FORWARD and OUTPUT chains, and user-defined chains which are only
called from those chains. The following option controls the nature of
the error packet returned:
--reject-with type
The type given can be
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
which return the appropriate ICMP error message (port-unreach-
able is the default). The option tcp-reset can be used on rules
which only match the TCP protocol: this causes a TCP RST packet
to be sent back. This is mainly useful for blocking ident
(113/tcp) probes which frequently occur when sending mail to
broken mail hosts (which won’t accept your mail otherwise).
(*) Using icmp-admin-prohibited with kernels that do not support it
will result in a plain DROP instead of REJECT
ROUTE
This is used to explicitly override the core network stack’s routing
decision. mangle table.
--oif ifname
Route the packet through ‘ifname’ network interface
--iif ifname
Change the packet’s incoming interface to ‘ifname’
--gw IP_address
Route the packet via this gateway
--continue
Behave like a non-terminating target and continue traversing the
rules. Not valid in combination with ‘--iif’ or ‘--tee’
--tee Make a copy of the packet, and route that copy to the given des-
tination. For the original, uncopied packet, behave like a non-
terminating target and continue traversing the rules. Not valid
in combination with ‘--iif’ or ‘--continue’
SET
This modules adds and/or deletes entries from IP sets which can be
defined by ipset(8).
--add-set setname flag[,flag...]
add the address(es)/port(s) of the packet to the sets
--del-set setname flag[,flag...]
delete the address(es)/port(s) of the packet from the sets,
where flags are src and/or dst and there can be no more than six
of them.
The bindings to follow must previously be defined in order to use
multilevel adding/deleting by the SET target.
SNAT
This target is only valid in the nat table, in the POSTROUTING chain.
It specifies that the source address of the packet should be modified
(and all future packets in this connection will also be mangled), and
rules should cease being examined. It takes one type of option:
--to-source ipaddr[-ipaddr][:port-port]
which can specify a single new source IP address, an inclusive
range of IP addresses, and optionally, a port range (which is
only valid if the rule also specifies -p tcp or -p udp). If no
port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023
inclusive will be mapped to ports below 1024, and other ports
will be mapped to 1024 or above. Where possible, no port alter-
ation will occur.
You can add several --to-source options. If you specify more
than one source address, either via an address range or multiple
--to-source options, a simple round-robin (one after another in
cycle) takes place between these adresses.
TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to con-
trol the maximum size for that connection (usually limiting it to your
outgoing interface’s MTU minus 40). Of course, it can only be used in
conjunction with -p tcp.
This target is used to overcome criminally braindead ISPs or servers
which block ICMP Fragmentation Needed packets. The symptoms of this
problem are that everything works fine from your Linux firewall/router,
but machines behind it can never exchange large packets:
1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.
Workaround: activate this option and add a rule to your firewall con-
figuration like:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
--set-mss value
Explicitly set MSS option to specified value.
--clamp-mss-to-pmtu
Automatically clamp MSS value to (path_MTU - 40).
These options are mutually exclusive.
TOS
This is used to set the 8-bit Type of Service field in the IP header.
It is only valid in the mangle table.
--set-tos tos
You can use a numeric TOS values, or use
iptables -j TOS -h
to see the list of valid TOS names.
TRACE
This target has no options. It just turns on packet tracing for all
packets that match this rule.
TTL
This is used to modify the IPv4 TTL header field. The TTL field deter-
mines how many hops (routers) a packet can traverse until it’s time to
live is exceeded.
Setting or incrementing the TTL field can potentially be very danger-
ous,
so it should be avoided at any cost.
Don't ever set or increment the value on packets that leave your local
network!
mangle table.
--ttl-set value
Set the TTL value to ‘value’.
--ttl-dec value
Decrement the TTL value ‘value’ times.
--ttl-inc value
Increment the TTL value ‘value’ times.
ULOG
This target provides userspace logging of matching packets. When this
target is set for a rule, the Linux kernel will multicast this packet
through a netlink socket. One or more userspace processes may then sub-
scribe to various multicast groups and receive the packets. Like LOG,
this is a "non-terminating target", i.e. rule traversal continues at
the next rule.
--ulog-nlgroup nlgroup
This specifies the netlink group (1-32) to which the packet is
sent. Default value is 1.
--ulog-prefix prefix
Prefix log messages with the specified prefix; up to 32 charac-
ters long, and useful for distinguishing messages in the logs.
--ulog-cprange size
Number of bytes to be copied to userspace. A value of 0 always
copies the entire packet, regardless of its size. Default is 0.
--ulog-qthreshold size
Number of packet to queue inside kernel. Setting this value to,
e.g. 10 accumulates ten packets inside the kernel and transmits
them as one netlink multipart message to userspace. Default is
1 (for backwards compatibility).
2012年3月22日 星期四
IPTABLES TARGET EXTENSIONS
訂閱:
張貼留言 (Atom)
-
from: https://www.wpgdadatong.com/tw/blog/detail?BID=B0594 一. PHY包含的各個子層 : PCS:編碼和解碼 PMA:串行器和反序列化器 PMD:取決於物理介質 Firgure 1: OSI模型裡示意...
-
From: http://blog.chinaaet.com/justlxy/p/5100064818 SMI:串行管理接口(Serial Management Interface),通常直接被稱為MDIO接口(Management Data Input/Output I...
-
from:https://zhuanlan.zhihu.com/p/36165475 VXLAN(Virtual eXtensible Local Area Network)或許是目前最熱門的網絡虛擬化技術。 網絡虛擬化是指在一套物理網絡設備上虛擬出多個二層網絡。 VXL...
沒有留言:
張貼留言